authorEugene Grosbein <eugen@FreeBSD.org>2020-04-07 16:29:11 +0000
committerEugene Grosbein <eugen@FreeBSD.org>2020-04-07 16:29:11 +0000
commit8cc74900676c24001642747002f567b2a2ff21a4 (patch)
tree4715d7ce7e2bea69d91f89dd986eb8b684fc2dcd /sbin
parent4f7a3d01502537fca6b1bdbf6f3031d7c6fa7844 (diff)
MFC r357092,357787: Add support for RFC 6598/Carrier Grade NAT subnets
to libalias and ipfw. In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware. Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware. The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address. Submitted by: Neel Chauhan <neel AT neelc DOT org> Reviewed by: melifaro, rgrimes, Lutz Donnerhacke Relnotes: yes Differential Revision: https://reviews.freebsd.org/D22877 Differential Revision: https://reviews.freebsd.org/D23448
Notes
Notes: svn path=/stable/11/; revision=359695
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipfw/ipfw.85
-rw-r--r--sbin/ipfw/ipfw2.h1
-rw-r--r--sbin/ipfw/main.c4
-rw-r--r--sbin/ipfw/nat.c8
4 files changed, 15 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 0ad9c3a2e3fc..3f92bd4d759a 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -3228,8 +3228,11 @@ Deny any incoming connection from outside world.
Try to leave the alias port numbers unchanged from
the actual local port numbers.
.It Cm unreg_only
-Traffic on the local network not originating from an
+Traffic on the local network not originating from a RFC 1918
unregistered address spaces will be ignored.
+.It Cm unreg_cgn
+Like unreg_only, but includes the RFC 6598 (Carrier Grade NAT)
+address range.
.It Cm reset
Reset table of the packet aliasing engine on address change.
.It Cm reverse
diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h
index 3585ab52fe63..ce12a45a4217 100644
--- a/sbin/ipfw/ipfw2.h
+++ b/sbin/ipfw/ipfw2.h
@@ -220,6 +220,7 @@ enum tokens {
TOK_DENY_INC,
TOK_SAME_PORTS,
TOK_UNREG_ONLY,
+ TOK_UNREG_CGN,
TOK_SKIP_GLOBAL,
TOK_RESET_ADDR,
TOK_ALIAS_REV,
diff --git a/sbin/ipfw/main.c b/sbin/ipfw/main.c
index 9dc20abfeab5..e30c236a5e50 100644
--- a/sbin/ipfw/main.c
+++ b/sbin/ipfw/main.c
@@ -43,8 +43,8 @@ help(void)
"add [num] [set N] [prob x] RULE-BODY\n"
"{pipe|queue} N config PIPE-BODY\n"
"[pipe|queue] {zero|delete|show} [N{,N}]\n"
-"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|\n"
-" reverse|proxy_only|redirect_addr linkspec|\n"
+"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n"
+" reset|reverse|proxy_only|redirect_addr linkspec|\n"
" redirect_port linkspec|redirect_proto linkspec}\n"
"set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
"set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n"
diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c
index 15f4711dd8b7..16506d5a7dbe 100644
--- a/sbin/ipfw/nat.c
+++ b/sbin/ipfw/nat.c
@@ -60,6 +60,7 @@ static struct _s_x nat_params[] = {
{ "deny_in", TOK_DENY_INC },
{ "same_ports", TOK_SAME_PORTS },
{ "unreg_only", TOK_UNREG_ONLY },
+ { "unreg_cgn", TOK_UNREG_CGN },
{ "skip_global", TOK_SKIP_GLOBAL },
{ "reset", TOK_RESET_ADDR },
{ "reverse", TOK_ALIAS_REV },
@@ -663,6 +664,9 @@ nat_show_cfg(struct nat44_cfg_nat *n, void *arg)
} else if (n->mode & PKT_ALIAS_UNREGISTERED_ONLY) {
printf(" unreg_only");
n->mode &= ~PKT_ALIAS_UNREGISTERED_ONLY;
+ } else if (n->mode & PKT_ALIAS_UNREGISTERED_CGN) {
+ printf(" unreg_cgn");
+ n->mode &= ~PKT_ALIAS_UNREGISTERED_CGN;
} else if (n->mode & PKT_ALIAS_RESET_ON_ADDR_CHANGE) {
printf(" reset");
n->mode &= ~PKT_ALIAS_RESET_ON_ADDR_CHANGE;
@@ -789,6 +793,7 @@ ipfw_config_nat(int ac, char **av)
case TOK_SAME_PORTS:
case TOK_SKIP_GLOBAL:
case TOK_UNREG_ONLY:
+ case TOK_UNREG_CGN:
case TOK_RESET_ADDR:
case TOK_ALIAS_REV:
case TOK_PROXY_ONLY:
@@ -883,6 +888,9 @@ ipfw_config_nat(int ac, char **av)
case TOK_UNREG_ONLY:
n->mode |= PKT_ALIAS_UNREGISTERED_ONLY;
break;
+ case TOK_UNREG_CGN:
+ n->mode |= PKT_ALIAS_UNREGISTERED_CGN;
+ break;
case TOK_SKIP_GLOBAL:
n->mode |= PKT_ALIAS_SKIP_GLOBAL;
break;
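Review bot: The new `case TOK_UNREG_CGN:` only ORs PKT_ALIAS_UNREGISTERED_CGN into n->mode, so `unreg_only` and `unreg_cgn` can be given together on one nat config line; if libalias treats the CGN flag as a strict superset of PKT_ALIAS_UNREGISTERED_ONLY that is harmless but undocumented, and if it does not, the combination should be rejected with an error when the token is parsed. A comment at this case would settle it for the next reader: `/* unreg_cgn covers the unreg_only ranges plus RFC 6598; libalias decides precedence if both are set -- confirm against alias.h */`. ipfw_config_nat starts and ends outside the hunk, so I cannot see whether it already checks for conflicting options elsewhere. Separately, the commit message names the libalias flag PKT_ALIAS_UNREGISTERED_RFC6598 while every hunk here (including the nat_show_cfg hunk at @@ -663) uses PKT_ALIAS_UNREGISTERED_CGN; the libalias header is outside this sbin-limited diff, so one of the two names appears stale and the message should match whatever the header actually declares.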